Victor Kimura
asked on
open port 993, 995, 110, 143 for mail server
Hi,
I'm trying to open up the ports for the mail server ports: 993, 995, 110, 143.
When I use:
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
25 ALLOW IN Anywhere
587 ALLOW IN Anywhere
110 ALLOW IN Anywhere
995 ALLOW IN Anywhere
143 ALLOW IN Anywhere
993 ALLOW IN Anywhere
993/tcp ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
25 (v6) ALLOW IN Anywhere (v6)
587 (v6) ALLOW IN Anywhere (v6)
110 (v6) ALLOW IN Anywhere (v6)
995 (v6) ALLOW IN Anywhere (v6)
143 (v6) ALLOW IN Anywhere (v6)
993 (v6) ALLOW IN Anywhere (v6)
993/tcp (v6) ALLOW IN Anywhere (v6)
When I use nmap --open, though, I get this:
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
587/tcp open submission
783/tcp open spamassassin
3306/tcp open mysql
5432/tcp open postgresql
10024/tcp open unknown
I tried this:
sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT
and also this:
sudo ufw allow 993
but the nmap is still the same. I tried testing with telnet and openssl s_client -connect but the ports are, obviously, closed. What am I missing?
Much thanks and Father God bless<><,
Victor
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
SOLUTION
ASKER
@David359,
I get this:
firewall-cmd --zone=public --add-port=993/tcp --permanent
The program 'firewall-cmd' is currently not installed. You can install it by typing:
sudo apt-get install firewalld
I'm wondering if I should install it. I think Ubuntu uses UFW. Should I use that instead of the UFW command?
SOLUTION
On my Ubuntu machine, ports 110 and 143 are open on the machine IP address but Not on localhost. I don't have the 'secure' ports enabled in the mail server.
ASKER
@David359, Ok thanks.
@Dave Baldwin, was that by default that the ports 110 and 143 were opened?
I ran sudo iptables -L and got the following. It looks like the ports are open, but I can't telnet to them and nmap can't see them as open:
sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:25
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT udp -- anywhere anywhere udp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT udp -- anywhere anywhere udp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT udp -- anywhere anywhere udp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT udp -- anywhere anywhere udp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT udp -- anywhere anywhere udp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
SOLUTION
SOLUTION
ASKER
@arnold,
Ok. It seems that the connection is still refused on 127.0.0.1:
forge@myultratrust/var/log $ openssl s_client -connect 127.0.0.1:993
connect: Connection refused
connect:errno=111
I don't see a 192.168.x.x. in my ifconfig though:
/sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 04:01:3f:67:2c:01
inet addr:104.131.13.87 Bcast:104.131.63.255 Mask:255.255.192.0
inet6 addr: fe80::601:3fff:fe67:2c01/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1503521 errors:0 dropped:0 overruns:0 frame:0
TX packets:1380023 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:890370056 (890.3 MB) TX bytes:1320284280 (1.3 GB)
eth1 Link encap:Ethernet HWaddr 04:01:3f:67:2c:02
inet addr:10.132.97.202 Bcast:10.132.255.255 Mask:255.255.0.0
inet6 addr: fe80::601:3fff:fe67:2c02/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:578 (578.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:434190 errors:0 dropped:0 overruns:0 frame:0
TX packets:434190 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:376198994 (376.1 MB) TX bytes:376198994 (376.1 MB)
What's the command for port forwarding to the internal IP and port? TY!
ASKER
@Dave Baldwin, can you share what you have in your /etc/ufw files? I think they have all the settings for the firewall rules.
SOLUTION
SOLUTION
ASKER
@Dave Baldwin, ok, thanks!
I have this
sudo ufw app list
Available applications:
Dovecot IMAP
Dovecot POP3
Dovecot Secure IMAP
Dovecot Secure POP3
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
Postfix
Postfix SMTPS
Postfix Submission
But the Postfix SMTPS profile is using 25:
sudo ufw app info Postfix SMTPS
Profile: Postfix
Title: Mail server (SMTP)
Description: Postfix is a high-performance mail transport agent
Port:
25/tcp
And when I try this:
sudo ufw app info Dovecot Secure IMAP
ERROR: Could not find profile 'Dovecot'
I have what you have /etc/ufw/applications.d in the dovecot-common file too. Not sure why sudo ufw app info cannot find the Dovecot profile.
I have this in my /etc/ufw/applications.d/postfix:
forge@myultratrust/etc/ufw/applications.d $ sudo vim postfix
[Postfix]
title=Mail server (SMTP)
description=Postfix is a high-performance mail transport agent
ports=25/tcp
[Postfix SMTPS]
title=Mail server (SMTPS)
description=Postfix is a high-performance mail transport agent
ports=465/tcp
[Postfix Submission]
title=Mail server (Submission)
description=Postfix is a high-performance mail transport agent
ports=587/tcp
@arnold,
I'm not sure if the system is a router. I'm using Digital Ocean for my Cloud server. I think they are similar to Linode.
How do I check which rules to which interface they apply? Or I guess how would I change them to apply to the correct IP?
ASKER
I tried disabling ufw and using telnet, but the connection was still refused:
forge@myultratrust/etc/ufw/applications.d $ sudo ufw disable
Firewall stopped and disabled on system startup
forge@myultratrust/etc/ufw/applications.d $ telnet livingtrustdiy.com 993
Trying 104.131.13.87...
telnet: Unable to connect to remote host: Connection refused
forge@myultratrust/etc/ufw/applications.d $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
forge@myultratrust/etc/ufw/applications.d $ telnet livingtrustdiy.com 993
Trying 104.131.13.87...
telnet: Unable to connect to remote host: Connection refused
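The test above is the decisive one. "Connection refused" with ufw disabled and enabled alike, and nmap in the original question listing the mail ports among the "closed" (not "filtered") ports, both mean the host answered with a TCP RST: the packet reached the kernel and no socket was bound to that port. A firewall DROP rule would instead produce a timeout, which nmap reports as "filtered". The iptables -L listing earlier already shows imaps ACCEPTed in ufw-user-input, so the remaining question is whether the mail daemon is listening on 993 at all, and on which address (Dave Baldwin's comment above makes the same point: a port open on the machine IP is not necessarily open on localhost, and vice versa). The script below is an added example, not from the thread, that encodes that distinction: it classifies a connect attempt as open, refused, filtered or error and pairs each state with the next thing to check. The loopback listener in `demo()` is a stand-in for a running IMAPS daemon, constructed so the check runs offline; the hostnames and ports on the command line are whatever you pass in.

```python
import errno
import socket
import sys

# Added diagnostic example (not from the thread). It separates the outcomes a
# failed connection can have, which nmap reports as open / closed / filtered:
#   open      handshake completed: a daemon is listening and the firewall passes it
#   refused   host replied with RST: packets reach the kernel but nothing is bound
#             to that port, so the firewall is not the blocker (nmap "closed")
#   filtered  no reply before the timeout: a DROP rule or an upstream filter
#             (nmap "filtered"); the only state where firewall rules are the cause
#   error     the attempt could not be made (name resolution, no route, ...)

NEXT_CHECK = {
    "open": "reachable; nothing to fix",
    "refused": "nothing is listening: check the daemon's listener/ssl config and bind address, not ufw",
    "filtered": "packets are dropped: check ufw/iptables rule order and any provider firewall",
    "error": "connection not attempted: check DNS and routing first",
}

MAIL_PORTS = (110, 143, 993, 995)


def probe(host, port, timeout=3.0):
    """Classify a TCP connect to host:port as open / refused / filtered / error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # Some platforms surface the RST as a plain OSError carrying ECONNREFUSED
        return "refused" if exc.errno == errno.ECONNREFUSED else "error"


def triage(host, ports=MAIL_PORTS, timeout=3.0):
    """Probe each port and pair its state with the next thing to check."""
    report = {}
    for port in ports:
        state = probe(host, port, timeout)
        report[port] = (state, NEXT_CHECK[state])
    return report


def demo():
    """Offline self-check on loopback only. A throwaway listener stands in for a
    running IMAPS daemon; a port that was bound and then released stands in for
    a daemon that is not running (the kernel answers it with RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listening_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing is bound here any more

    try:
        return {
            "listener": probe("127.0.0.1", listening_port, timeout=1.0),
            "no_listener": probe("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, advice) in triage(target).items():
        print(f"{target}:{port:<5} {state:<9} {advice}")
```

Run it once against 127.0.0.1 on the server and once against the public address from another machine. On the server itself, `sudo ss -ltnp` (or `sudo netstat -ltnp`) lists the bound sockets with the owning process, which shows directly whether anything holds 993 and whether it is bound to 127.0.0.1, the public address, or all addresses.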
SOLUTION
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
I provided my answer but wanted to give points to those that helped as their answers made me search for the things that I needed to search for. :)
ASKER
@arnold, this is what I get:
When I look in /etc/ufw with ls -al:
But I'm not sure what I should be changing. I read that these update the iptables. I also read that the order of the rules is important, but I'm not sure how I go about it. I'm using Ubuntu 14.04.1, FYI.
forge@myultratrust/etc/ufw
Ubuntu 14.04.1 LTS \n \l